It is often desirable to ensure that a printed document has not been altered or tampered with in some unauthorised manner from the time the document was first printed. For example, a contract that has been agreed upon and signed on some date may subsequently be fraudulently altered. It is desirable to be able to detect such alterations in detail. Similarly, security documents of various sorts including cheques and monetary instruments record values, which are vulnerable to fraudulent alteration. Detection of any fraudulent alteration in such document is also desirable. Further, it is desirable that such detection be performed automatically, and that the detection reveal the nature of any alteration.
In addition to detection of fraudulent alteration or tampering with a document, it is desirable that printed documents offer a visible deterrent to fraudulent alteration.
Various methods of deterring and detecting fraudulent alteration to documents have been proposed and used.
One class of methods that was in use before high quality color scanners and printers became commonly available, was to print important information such as monetary amounts in special fonts or with special shadows that were, at the time, difficult to reproduce. However, with modern printers and scanners, such techniques have become vulnerable to attack.
One known method of detecting alteration of a document uses a two dimensional (2D) barcode printed on one part of a document page to encode (possibly cryptographically) a representation of some other portion of the document, such as a signature area. This 2D barcode can be decoded and a resulting image compared by an operator to the area the barcode is intending to represent to check for similarity. Existing variants of such barcode protection may be divided into two categories.
The first category of 2D-barcode protection involves embedding a portion of a document's semantic information into a 2D barcode. Often, such semantic information may be hashed and encrypted. However, this first category of barcode protection does not allow non-textual documents to be protected. The second category of 2D-barcode protection treats a document as an image and embeds a portion of the image in a barcode. However, embedding a portion of the image in the barcode may cause the barcode to become very large. In this instance, automatic verification at a fine granularity is not possible, as the image embedded in the barcode cannot be automatically lined up with the received document.
A related body of work is detection of tampering in digital images that are not subject to print/scan cycles. In this regard a number of “fragile watermark” methods are known. However, these methods are generally not applicable to tamper detection in printed documents since they cannot withstand the introduction of noise, Rotation, Scaling and Translation (RST), re-sampling, and local distortion that occurs in a print/scan cycle. Some of these fragile watermark methods operate by replacing all or some of the least significant bits of pixels of an image with some form of checksum of remaining bits in each pixel.
A number of “semi-fragile watermark” methods are also known. These include methods that use cross-correlation to detect the presence of a lightly embedded shifted copy of a portion of an image. Another known semi-fragile watermark method embeds watermarks into image blocks, and then compares the detection strength of these watermarks to discern if any blocks have been altered. These semi-fragile watermark methods tend to have less localisation ability as their detection ability improves, and as their localisation ability improves, these methods become more sensitive to noise and other distortions and so cannot be used to detect local changes in printed documents.
Other known methods of detecting alterations in digital images use special materials to make alteration difficult. Such methods include laminates covering the printed surface of a document where damage to the laminate is obvious. However using special materials introduces production complexity, and is not applicable to plain paper applications. These known methods are also not amenable to automatic detection.
An additional failing in many existing methods is weak cryptographic security. In many cases, once the cryptographic algorithm being employed is identified, identification leads directly to a subversion method to attack the identified method.
Another common failing of present methods of detecting alterations to digital images is the distribution of alteration detection information over wide areas of a page, or even areas completely separate to the image area to be authenticated (as in the barcode method above). This introduces problems if there is incidental soiling of the document in areas apart from the image area being authenticated. Many of these methods cannot be used to authenticate the entire area of a document, so documents must be specifically designed to accommodate the methods.
A still further class of methods of detecting alterations to documents uses independent transfer of information about the original unaltered form of a document to verify the document. This could be as simple as a telephone call to a person with independent knowledge, and may extend to keeping a complete copy of the document in a secure location. Such methods have many practical disadvantages since they require handling and storage of such independent information.